G1033 Star Blizzard
Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.2134
| Item | Value |
|---|---|
| ID | G1033 |
| Associated Names | SEABORGIUM, Callisto Group, TA446, COLDRIVER |
| Version | 2.0 |
| Created | 14 June 2024 |
| Last Modified | 22 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Group Descriptions
| Name | Description |
|---|---|
| SEABORGIUM | 2 |
| Callisto Group | 1 |
| TA446 | 1 |
| COLDRIVER | 4 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | Star Blizzard has used HubSpot and MailerLite marketing platform services to hide the true sender of phishing emails.3 |
| enterprise | T1583.001 | Domains | Star Blizzard has registered domains using randomized words and with names resembling legitimate organizations.13 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | Star Blizzard has used JavaScript to redirect victim traffic from an adversary controlled server to a server hosting the Evilginx phishing framework.3 |
| enterprise | T1586 | Compromise Accounts | - |
| enterprise | T1586.002 | Email Accounts | Star Blizzard has used compromised email accounts to conduct spearphishing against |
| contacts of the original victim.1 | |||
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.002 | Remote Email Collection | Star Blizzard has remotely accessed victims’ email accounts to steal messages and attachments.1 |
| enterprise | T1114.003 | Email Forwarding Rule | Star Blizzard has abused email forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access after compromised credentials are reset.21 |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.001 | Social Media Accounts | Star Blizzard has established fraudulent profiles on professional networking sites to conduct reconnaissance.21 |
| enterprise | T1585.002 | Email Accounts | Star Blizzard has registered impersonation email accounts to spoof experts in a particular field or individuals and organizations affiliated with the intended target.214 |
| enterprise | T1589 | Gather Victim Identity Information | Star Blizzard has identified ways to engage targets by researching potential victims’ interests and social or professional contacts.1 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | Star Blizzard has incorporated the open-source EvilGinx framework into their spearphishing activity.13 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Star Blizzard has sent emails with malicious .pdf files to spread malware.4 |
| enterprise | T1598 | Phishing for Information | - |
| enterprise | T1598.002 | Spearphishing Attachment | Star Blizzard has sent emails to establish rapport with targets eventually sending messages with attachments containing links to credential-stealing sites.2134 |
| enterprise | T1598.003 | Spearphishing Link | Star Blizzard has sent emails to establish rapport with targets eventually sending messages with links to credential-stealing sites.2134 |
| enterprise | T1593 | Search Open Websites/Domains | |
| Star Blizzard has used open-source research to identify information about victims to use in targeting.21 | |||
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | Star Blizzard has uploaded malicious payloads to cloud storage sites.4 |
| enterprise | T1539 | Steal Web Session Cookie | Star Blizzard has used EvilGinx to steal the session cookies of victims directed to |
| phishing domains.1 | |||
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.004 | Web Session Cookie | Star Blizzard has bypassed multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.1 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Star Blizzard has lured targets into opening malicious .pdf files to deliver malware.4 |
| enterprise | T1078 | Valid Accounts | Star Blizzard has used stolen credentials to sign into victim email accounts.21 |
| mobile | T1676 | Linked Devices | Star Blizzard has used the linked devices feature to connect WhatsApp accounts to adversary-controlled infrastructure and/or the WhatsApp Web portal for message exfiltration.5 |
Software
References
-
CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM’s ongoing phishing operations. Retrieved June 13, 2024. ↩↩↩↩↩↩↩↩↩
-
Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024. ↩↩↩↩↩↩↩
-
Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024. ↩↩↩↩↩↩↩↩↩
-
Microsoft Threat Intelligence. (2025, January 16). New Star Blizzard spear-phishing campaign targets WhatsApp accounts. Retrieved May 2, 2025. ↩